U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, D.C. 20416

TRANSMITTAL MEMORANDUM
Report No. 13-04

DATE: November 14, 2012

TO: Jonathan I. Carver
    Chief Financial Officer

FROM: John K. Needham
      Assistant Inspector General for Auditing

SUBJECT: Independent Auditors’ Report on the SBA’s FY 2012 Financial Statements

We contracted with the independent public accounting firm, KPMG LLP (KPMG), to audit the U.S. Small Business Administration’s consolidated financial statements as of September 30, 2012, and for the years then ended. The contract required that the audits be conducted in accordance with Generally Accepted Government Auditing Standards; the Office of Management and Budget Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended; and the U.S. Government Accountability Office’s Financial Audit Manual and Federal Information System Controls Audit Manual. This audit is an annual requirement of the Chief Financial Officers Act of 1990.

The results of KPMG’s audits are presented in the attached report. The report includes an opinion on SBA’s financial statements, internal control over financial reporting, and compliance and other matters that have a direct and material effect on the financial statements. The independent auditor issued an unqualified opinion on SBA’s fiscal year 2012 consolidated financial statements. In summary, KPMG reported that:

• The financial statements were fairly presented, in all material aspects, in conformity with U.S. generally accepted accounting principles.
• There were no material weaknesses in internal control.
• There is a significant deficiency related to SBA’s information technology security controls, which is a repeat condition.
• There is one instance of noncompliance with laws and regulations related to the Debt Collection Improvement Act of 1996, which is also a repeat condition.

The report also includes one other matter related to possible violations of the Federal Acquisition Regulation’s documentation retention requirements. Details regarding KPMG’s conclusions are included in the “Compliance and Other Matters” section of the Independent Auditors’ Report. Within 30 days of this report, KPMG expects to issue a separate letter to management regarding other less significant matters that came to its attention during the audit.

We reviewed a copy of KPMG’s report and related documentation, and made necessary inquiries of their respective representatives. Our review was not intended to enable us to express, and we do not express, an opinion on the SBA’s financial statements, KPMG’s conclusions about the effectiveness of internal control, or its conclusions about SBA’s compliance with laws and regulations. However, our review disclosed no instances where KPMG did not comply, in all material respects, with Generally Accepted Government Auditing Standards.

We provided a draft of KPMG’s report to SBA’s Chief Financial Officer, who concurred with its findings and recommendations, and agreed to implement the recommendations. The Chief Financial Officer’s comments are attached as Exhibit IV to this report.

We appreciate the cooperation and assistance of the SBA and KPMG. Should you or your staff have any questions, please contact me at (202) 205-7390 or Jeffrey R. Brindle, Director, Information Technology and Financial Management Group, at (202) 205-7490.

Attachment


KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

Independent Auditors’ Report

Inspector General,
U.S. Small Business Administration:

We have audited the accompanying consolidated balance sheets of the U.S. Small Business Administration (SBA) as of September 30, 2012 and 2011, and the related consolidated statements of net cost, and changes in net position, and combined statements of budgetary resources (hereinafter referred to as “consolidated financial statements”) for the years then ended. The objective of our audits was to express an opinion on the fair presentation of these consolidated financial statements. In connection with our fiscal year 2012 audit, we also considered the SBA’s internal control over financial reporting and tested the SBA’s compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on these consolidated financial statements.

Summary

As stated in our opinion on the consolidated financial statements, we concluded that the SBA’s consolidated financial statements as of and for the years ended September 30, 2012 and 2011, are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles.

As discussed in our opinion on the consolidated financial statements, the SBA changed its presentation for reporting the statement of budgetary resources in fiscal year 2012.

Our consideration of internal control over financial reporting resulted in identifying certain deficiencies, relating to information technology security controls, that we consider to be a significant deficiency, as defined in the Internal Control Over Financial Reporting section of this report.

We did not identify any deficiencies in internal control over financial reporting that we consider to be material weaknesses as defined in the Internal Control Over Financial Reporting section of this report.

The results of our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements disclosed one instance of noncompliance, relating to the Debt Collection Improvement Act of 1996, and one other matter, that are required to be reported under Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended.

The following sections discuss our opinion on the SBA’s consolidated financial statements; our consideration of the SBA’s internal control over financial reporting; our tests of the SBA’s compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements; and management’s and our responsibilities.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity.

Opinion on the Consolidated Financial Statements

We have audited the accompanying consolidated balance sheets of the SBA as of September 30, 2012 and 2011, and the related consolidated statements of net cost, and changes in net position, and the combined statements of budgetary resources for the years then ended.

In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of the SBA as of September 30, 2012 and 2011, and its net costs, changes in net position, and budgetary resources for the years then ended, in conformity with U.S. generally accepted accounting principles.

As discussed in Note 15 to the consolidated financial statements, the SBA changed its presentation for reporting the combined statement of budgetary resources in fiscal year 2012, based on new reporting requirements under OMB Circular No. A-136, Financial Reporting Requirements. As a result, the SBA’s combined statement of budgetary resources for fiscal year 2011 has been adjusted to conform to the current year presentation.

U.S. generally accepted accounting principles require that the information in the Management’s Discussion and Analysis, Required Supplementary Information, and Required Supplementary Stewardship Information sections be presented to supplement the basic financial statements. Such information, although not a part of the basic financial statements, is required by the Federal Accounting Standards Advisory Board, which considers it to be an essential part of financial reporting for placing the basic financial statements in an appropriate operational, economic, or historical context. We have applied certain limited procedures to the required supplementary information in accordance with auditing standards generally accepted in the United States of America, which consisted of inquiries of management about the methods of preparing the information and comparing the information for consistency with management’s responses to our inquiries, the basic financial statements, and other knowledge we obtained during our audits of the basic financial statements. We do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance.

Our audits were conducted for the purpose of forming an opinion on the basic financial statements as a whole. The information in the Other Information section is presented for the purposes of additional analysis and is not a required part of the basic financial statements. Such information has not been subjected to the auditing procedures applied in the audits of the basic financial statements, and accordingly, we do not express an opinion or provide any assurance on it.

Internal Control Over Financial Reporting

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.

Our consideration of internal control over financial reporting was for the limited purpose described in the Responsibilities section of this report and was not designed to identify all deficiencies in internal control over financial reporting that might be deficiencies, significant deficiencies, or material weaknesses. In our fiscal year 2012 audit, we did not identify any deficiencies in internal control over financial reporting that we consider to be material weaknesses, as defined above. However, we identified certain deficiencies in internal control over financial reporting described in Exhibit I, related to information technology security controls, that we consider to be a significant deficiency in internal control over financial reporting. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Exhibit II presents the status of the prior year significant deficiency, which was also related to information technology security controls.

We noted certain additional matters that we have reported to management of the SBA in a separate letter dated November 14, 2012.

Compliance and Other Matters

The results of certain of our tests of compliance as described in the Responsibilities section of this report, exclusive of those referred to in the Federal Financial Management Improvement Act of 1996 (FFMIA), disclosed one instance of noncompliance and one other matter that are required to be reported herein under Government Auditing Standards or OMB Bulletin No. 07-04, and are described below.

Debt Collection Improvement Act of 1996 (DCIA). The DCIA assigns the U.S. Department of Treasury (Treasury) the responsibility for collecting delinquent debts (cross servicing) Government-wide. The DCIA requires federal agencies to transfer their nontax debt over 180 days delinquent to Treasury. During our testwork over loan charge-offs, we noted the SBA did not refer obligors (eligible principal borrowers, co-borrowers, and/or guarantors) to Treasury for offset or cross-servicing at the time of charge-off, as required by DCIA. Exhibit III presents the status of the prior year noncompliance finding, which was also related to DCIA.

The results of our other tests of compliance as described in the Responsibilities section of this report, exclusive of those referred to in FFMIA, disclosed no instances of noncompliance and one other matter that is required to be reported herein under Government Auditing Standards or OMB Bulletin No. 07-04.

The results of our tests of FFMIA disclosed no instances in which the SBA’s financial management systems did not substantially comply with the (1) Federal financial management systems requirements, (2) applicable Federal accounting standards, and (3) the United States Government Standard General Ledger at the transaction level.

Other Matter: A matter has been identified that may be a violation of the Federal Acquisition Regulation documentation retention requirements. This matter is currently under review by SBA management and the Office of Inspector General. The outcome of this matter is not presently known.

*******

Responsibilities

Management’s Responsibilities. Management is responsible for the consolidated financial statements; establishing and maintaining effective internal control over financial reporting; and complying with laws, regulations, contracts, and grant agreements applicable to the SBA.

Auditors’ Responsibilities. Our responsibility is to express an opinion on the fiscal year 2012 and 2011 consolidated financial statements of the SBA based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin No. 07-04. Those standards and OMB Bulletin No. 07-04 require that we plan and perform the audits to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement. An audit includes consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the SBA’s internal control over financial reporting. Accordingly, we express no such opinion.

An audit also includes:

• Examining, on a test basis, evidence supporting the amounts and disclosures in the consolidated financial statements;
• Assessing the accounting principles used and significant estimates made by management; and
• Evaluating the overall consolidated financial statement presentation.

We believe that our audits provide a reasonable basis for our opinion.

In planning and performing our fiscal year 2012 audit, we considered the SBA’s internal control over financial reporting by obtaining an understanding of the SBA’s internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements, but not for the purpose of expressing an opinion on the effectiveness of the SBA’s internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of the SBA’s internal control over financial reporting. We did not test all controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982.

As part of obtaining reasonable assurance about whether the SBA’s fiscal year 2012 consolidated financial statements are free of material misstatement, we performed tests of the SBA’s compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the determination of the consolidated financial statement amounts, and certain provisions of other laws and regulations specified in OMB Bulletin No. 07-04, including the provisions referred to in Section 803(a) of FFMIA. We limited our tests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all laws, regulations, contracts, and grant agreements applicable to the SBA. However, providing an opinion on compliance with laws, regulations, contracts, and grant agreements was not an objective of our audit and, accordingly, we do not express such an opinion.

______________________________

The SBA’s written response to the findings identified in our audit and presented in Exhibit IV was not subjected to the auditing procedures applied in the audit of the SBA’s consolidated financial statements and, accordingly, we express no opinion on it.

This report is intended solely for the information and use of the SBA’s management, the SBA’s Office of Inspector General, OMB, the U.S. Government Accountability Office, and the U.S. Congress and is not intended to be and should not be used by anyone other than these specified parties.

November 14, 2012


Exhibit I
U.S. Small Business Administration
Significant Deficiency

The significant deficiency identified in our Fiscal Year (FY) 2012 audit is summarized below:

Improvement Needed in Information Technology Security Controls

During our prior year, FY 2011, financial statement audit, we identified 18 information technology (IT) control findings, and recommended many corresponding corrective actions. During the FY 2012 financial statement audit, we found that the U.S. Small Business Administration (SBA) implemented corrective actions to remediate 3 of the 18 findings; however, we also identified 9 new IT control findings. Therefore, SBA’s IT control environment continues to require improvement.

The IT control deficiencies that we noted during the FY 2012 audit are summarized below and fall under the following general IT control objectives: security access controls, segregation of duties, security management, software configuration management, and contingency planning. We did not provide details on the specific IT control deficiencies in this report due to sensitivity considerations surrounding the information systems. We have provided the details in a separate report to SBA management. Exhibit II of our report discloses the status of prior year IT findings.

Security Access Controls

Integral to the effectiveness of an organization’s security program management efforts, system security access controls should provide reasonable assurance that IT resources, such as data files, application programs, and IT-related facilities/equipment, are protected against unauthorized modification, disclosure, loss, or impairment. Our audit found the following control deficiencies:

• Several high- and medium-risk security vulnerabilities affecting various financial systems.
• A weakness in network access controls.
• The SBA was unable to provide evidence that security incidents are analyzed, validated, and resolved.
• Physical access control procedures can be improved for all financial systems managed at SBA Headquarters (HQ) and one financial system hosted by an SBA service provider. In addition, access to the data centers can be improved.
• Several users had unnecessary access to an SBA financial subsystem.
• User accounts were not reviewed in accordance with SBA policy for five of the seven systems we reviewed.
• Complex and unique password configurations were not implemented and/or enforced.
• User accounts were not disabled or removed promptly upon personnel termination.
• Financial system user accounts and remote access authorizations were not properly authorized.
• Weak controls over the monitoring and review of audit logs for four of the seven systems we reviewed.

Recommendations – Security Access Controls:

We recommend the Chief Information Officer (CIO) coordinate with SBA program offices to:

1. Enhance security vulnerability management processes. Specifically, (a) ensure that servers, operating systems, and databases are properly configured and updated on a routine basis; (b) monitor SBA vulnerability reports for required patches; and (c) update systems based on risk determination and threats.
2. Develop and implement procedures to ensure mandatory domain authentication for Internet Protocol (IP) address issuance.
3. Fully implement the SBA entity-wide incident management and response program and ensure that procedures are enforced.
4. Ensure that information systems hosted by the SBA and third parties comply with SBA policy and National Institute of Standards and Technology guidance.
5. Develop and implement procedures for user access reviews to ensure that proper access rights are set for financial subsystems.
6. Ensure that all new system users are assigned random passwords and are subsequently required to change their password upon first log-in.
7. Develop and implement procedures for user access termination to ensure that access for terminated or transferred personnel is removed from systems in a timely manner.
8. Develop and enforce procedures for user access approvals, including remote access, and retain the evidence of the approvals.
9. Oversee the review and validation of financial system accounts on a quarterly basis.
10. Implement a process to monitor the audit logs of all financial applications on a regular basis.

Segregation of Duties

The primary focus of an organization’s segregation of duties controls is to provide reasonable assurance that incompatible duties are effectively segregated. Without such controls, there is a risk that unauthorized changes could be implemented into the IT environment, and users may have access that is inappropriate for their duties. As a result, the confidentiality, integrity, and availability of financial data are at risk of possible loss, modification, or disclosure. Our audit found the following control deficiencies:

• An authorized user had conflicting access rights in a key financial system.
• Twenty-eight service accounts were not properly restricted with unique log-ins and passwords.
• Users were authorized with conflicting rights as a database administrator (DBA) and system administrator to a financial application hosted by an SBA service provider.

Recommendations – Segregation of Duties:

We recommend the CIO coordinate with the Chief Financial Officer (CFO) to:

11. Restrict access to software programs based on the principle of least privilege, and implement compensating controls over actions where limited resources cause individuals to perform conflicting job functions.
12. Ensure that DBA and system administrator access is restricted through role-based segregation of duties and managed through an effective audit log review process.

Security Management

An entity-wide information security management program is the foundation of a security control structure and a reflection of senior management’s commitment to addressing security risks. This security management program should establish a framework and continuous cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures. Our audit found the following control deficiency:

• The CIO had not fully implemented a mandatory training program for IT security personnel.

Recommendations – Security Management:

We recommend the CIO:

13. Updates the position descriptions for IT security personnel to include minimum annual training requirements.
14. Develops and fully implements a comprehensive security education and training program for all IT security personnel, to include a method for monitoring the training program.

Software Configuration Management

The primary focus of an organization’s software configuration management process is to control the software changes made to networks and systems. Without such controls, there is a risk that security features could be inadvertently, or deliberately, omitted or turned off, or that processing irregularities or malicious code could be introduced into the IT environment. Our audit noted the following control deficiencies:

• The configuration management process is not centralized, and the Enterprise Change Control Board governance processes were not fully implemented across SBA.
• SBA personnel did not provide sufficient evidence to support software change authorizations for one financial system.
• Software changes for one financial subsystem were not tested before being moved to production, which impacted the SBA’s compliance with the Debt Collection Improvement Act of 1996 (DCIA). This issue was reported as a noncompliance matter in the Compliance and Other Matters section of our audit report.

Recommendations – Software Configuration Management:

We recommend the CIO:

15. Enforces an organization-wide configuration management process, to include policies and procedures for maintaining documentation that supports testing and approvals of software changes.

We recommend the CIO coordinate with the CFO to:

16. Implement configuration management policies and procedures for document retention to include supporting evidence to validate the authorization of operating system changes.

Contingency Planning

The focus of an organization’s contingency planning program should be to provide reasonable assurance that information resources are protected and the risk of unplanned interruptions is minimized. Without such controls, there is a risk that data may be lost or that critical operations may not resume in a timely manner. Our audit noted the following control deficiencies:

• Backup tapes necessary to restore system operations were not consistently rotated off-site for four of the seven systems we reviewed.
• Comprehensive contingency plans had not been developed and authorized for one key financial system. In addition, another system’s plan was not updated to reflect the current environment.
• Five of the seven contingency plans, which include the HQ Continuity of Operations Plan (COOP), were documented and approved but were not tested semiannually as prescribed by SBA policy. Two of the plans, which were first authorized in May 2011, had never been tested.
• One key financial system lacked adequate recovery capabilities commensurate with the system’s Federal Information Processing Standards Publication 199 categorization.

Recommendations – Contingency Planning:

We recommend the CIO:

17. Enforces existing SBA policies to rotate backups off-site.
18. Conducts a Business Impact Analysis, develops and implements the contingency plans, and establishes an alternate processing site.

We recommend the CIO coordinate with the CFO to:

19. Test system-specific plans and the HQ COOP on a frequency consistent with SBA policy.


Exhibit II
U.S. Small Business Administration
Status of Prior Year Significant Deficiency

Fiscal Year 2011 Finding: Improvement Needed in Information Technology (IT) Security Controls

Fiscal Year 2012 Status of Finding: During our review of SBA’s IT general and application controls, we noted some improvements made to address prior year findings. However, control deficiencies continue to exist.

Therefore, in fiscal year 2012, the issue is again presented in Exhibit I. The issue was modified to reflect current year operations, and we continue to report a significant deficiency in internal controls, as it relates to IT systems and the associated impact on the consolidated financial statements.


Exhibit III
U.S. Small Business Administration
Status of Prior Year Noncompliance

Debt Collection Improvement Act of 1996 (DCIA)

Fiscal Year 2011 Finding: During our Fiscal Year (FY) 2011 audit, we noted the agency was noncompliant with the DCIA. The noncompliance was due to instances where SBA did not refer a substantial number of charged-off loans to the Treasury for cross-servicing.

Fiscal Year 2012 Status of Finding: During our review over SBA’s compliance with the DCIA, we noted improvements made in SBA’s Treasury cross-servicing referral process. However, during FY 2012, we noted instances of noncompliance related to timely referrals of loan charge-offs to Treasury for offset and cross-servicing. We also noted that the approximately 5,000 eligible obligors identified in FY 2011 have not been properly referred to the Treasury as of FY 2012. Therefore, in FY 2012, the issue is again presented in the Compliance and Other Matters section of our Independent Auditors’ Report.

We recommend the Associate Administrator for Capital Access¹:

20. Conducts training to educate loan center staff on the proper steps to refer obligors to the Treasury through the system and how to correct errors after loans have been referred to Treasury.
21. Considers implementing a process to monitor loans that reach 150 days delinquent to ensure that, at 180 days, the loans are properly referred to the Treasury.
22. Continues to work with the Treasury to refer the more than 5,000 co-borrowers and guarantors that were not referred in FY 2011.
23. Continues to review system protocol to identify any other coding problems which may cause untimely referral of loans.
24.
Implements quarterly monitoring reviews to\n                                                             identify all charged-off loans where the automatic\n                                                             referral did not occur.\n\n\n\n\n1\n  The recommendations listed in this exhibit were sequenced after the recommendations presented on Exhibit I, IT\nSignificant Deficiency, to assist users of this report tracking the number of recommendations presented.\n\n\n                                                      III-1\n\x0c                                                                                                  Exhibit IV\n\n\n\n\n               CFO Response to Draft Audit Report on FY 2012 Financial Statements\n\nDATE:           November 14, 2012\n\nTO:             John Needham, Assistant IG for Auditing\n\nFROM:           Jonathan Carver, Chief Financial Officer\n\nSUBJECT:        Draft Audit Report on FY 2012 Financial Statements\n\nThe Small Business Administration has received the draft Independent Auditors\xe2\x80\x99 Report from KPMG that\nincludes the auditor\xe2\x80\x99s opinion on the financial statements and its review of the Agency\xe2\x80\x99s internal control over\nfinancial reporting and compliance with laws and regulations. The independent audit of the Agency\xe2\x80\x99s financial\nstatements and related processes is a core component of SBA\xe2\x80\x99s financial management program.\n\nWe are pleased that the SBA has again received an unqualified audit opinion from the independent auditor\nwith no material weaknesses. We believe these results accurately reflect the quality of the Agency\xe2\x80\x99s financial\nstatements and our improved accounting, budgeting and reporting processes. As you know, the SBA has\nworked hard in past years to address the findings from our independent auditor. 
Our core financial reporting\ndata and processes have further improved, and we are proud that the results of our efforts have been\nconfirmed by the independent auditor.\n\nThe audit report includes a continuing significant deficiency in SBA\xe2\x80\x99s information technology controls. As the\nauditor noted in the report on the FY 2012 financial statements, the SBA implemented corrective action this\nyear to remediate 3 of the 18 prior year IT control findings. The auditor, however, identified 9 new IT findings\nthis year and re-issued one NFR related to it. The SBA will continue to work on improvements in IT\nsecurity. The SBA will track, monitor, and aggressively mitigate vulnerabilities in all Agency\nsystems. Furthermore, the SBA will clarify and strengthen detailed procedures required to ensure security\naccess controls are in place to protect SBA data from unauthorized modification, disclosure, and loss.\n\nThe auditor reported again this year that the SBA is not compliant with the Debt Collection Improvement Act of\n1996 related to timely referral of charged-off loans to the Department of the Treasury for its tax refund offset\nand collection programs. Although the SBA made improvements to correct systemic errors identified last year,\nthe auditor again found instances of charged-off loans where co-borrowers and guarantors were not referred\nto Treasury. The SBA is working on procedures to correct this issue.\n\nThe audit report includes one other matter that may be a violation of the Federal Acquisition Regulation\ndocumentation retention requirements. This is the second year since the SBA transferred the procurement\nfunctions to the Office of the Chief Financial Officer. The FY 2012 review of internal controls over financial\nreporting revealed that, while there was considerable improvement in the contracting area, more time and\nresources will be required to resolve all outstanding issues. 
These include formalizing the acquisition process\nand related requirements through Agency-wide Standard Operating Procedures, ensuring all contracting\ndocuments are signed by appropriate authorized individuals, and ensuring that invoices are reviewed by\nappropriate parties before payment is disbursed. The Agency takes this matter very seriously and we have\nalready taken steps to make further improvements.\n\nWe appreciate all of your efforts and those of your colleagues in the Office of the Inspector General as well as\nthose of KPMG. The independent audit process continues to provide us with new insights and valuable\nrecommendations that will further enhance SBA\xe2\x80\x99s financial management practices. We continue to be\ncommitted to excellence in financial management and look forward to making more progress in the coming\nyear.\n\x0c'